enable 3DES SSL ciphersuites, RC4 is kept disabled (#1453066)

2017-06-15 15:17:26 +02:00 · 2017-06-15 15:17:26 +02:00 · 81258b6d2a
commit 81258b6d2a
parent 6b68d87d06
2 changed files with 37 additions and 1 deletions
--- a/openssl-1.1.0-weak-ciphers.patch
+++ b/openssl-1.1.0-weak-ciphers.patch
@ -0,0 +1,30 @@
+diff -up openssl-1.1.0f/ssl/s3_lib.c.weak-ciphers openssl-1.1.0f/ssl/s3_lib.c
+--- openssl-1.1.0f/ssl/s3_lib.c.weak-ciphers	2017-05-25 14:46:20.000000000 +0200
+++ openssl-1.1.0f/ssl/s3_lib.c	2017-06-15 15:12:51.555142528 +0200
+@@ -2425,7 +2425,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+      SSL_GOST89MAC,
+      TLS1_VERSION, TLS1_2_VERSION,
+      0, 0,
+-     SSL_HIGH,
+     SSL_MEDIUM,
+      SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94 | TLS1_STREAM_MAC,
+      256,
+      256,
+@@ -2455,7 +2455,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+      SSL_GOST89MAC12,
+      TLS1_VERSION, TLS1_2_VERSION,
+      0, 0,
+-     SSL_HIGH,
+     SSL_MEDIUM,
+      SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC,
+      256,
+      256,
+@@ -2558,7 +2558,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+      },
+ #endif                          /* OPENSSL_NO_SEED */
+ 
+-#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+#if 0 /* No RC4 */
+     {
+      1,
+      SSL3_TXT_RSA_RC4_128_MD5,
--- a/openssl.spec
+++ b/openssl.spec
@ -22,7 +22,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.1.0f
-Release: 2%{?dist}
+Release: 3%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@ -60,6 +60,7 @@ Patch41: openssl-1.1.0-system-cipherlist.patch
 Patch42: openssl-1.1.0-fips.patch
 Patch43: openssl-1.1.0-afalg-eventfd2.patch
 Patch44: openssl-1.1.0-bio-fd-preserve-nl.patch
+Patch45: openssl-1.1.0-weak-ciphers.patch
 # Backported fixes including security fixes
 Patch70: openssl-1.1.0-thread-local.patch

@ -162,6 +163,7 @@ cp %{SOURCE13} test/
 %patch42 -p1 -b .fips
 %patch43 -p1 -b .eventfd2
 %patch44 -p1 -b .preserve-nl
+%patch45 -p1 -b .weak-ciphers

 %patch70 -p1 -b .thread-local

@ -240,6 +242,7 @@ RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -DPURIFY"
 	--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
 	zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
 	enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \
+	enable-weak-ssl-ciphers \
 	no-mdc2 no-ec2m \
 	shared  ${sslarch} $RPM_OPT_FLAGS

@ -431,6 +434,9 @@ export LD_LIBRARY_PATH
 %postun libs -p /sbin/ldconfig

 %changelog
+* Thu Jun 15 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0f-3
+- enable 3DES SSL ciphersuites, RC4 is kept disabled (#1453066)
+
 * Mon Jun  5 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0f-2
 - only release thread-local key if we created it (from upstream) (#1458775)